Wireless LAN Management w.lilakiatsakun

Topics
– Wireless LAN fundamentals
  – Link characteristics
  – Bands and spectrum
  – IEEE 802.11 architecture / channel allocation
– Wireless LAN solutions
  – Ad hoc / infrastructure
  – Load balancing / Extended Service Set (roaming)
  – Wireless repeater / bridge
– Wireless LAN management
– Wireless LAN security

Wireless Link Characteristics
Differences from a wired link:
– Decreased signal strength: a radio signal attenuates as it propagates through matter (path loss)
– Interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) are shared by other devices (e.g., phones); devices such as motors interfere as well
– Multipath propagation: the radio signal reflects off objects and the ground, arriving at the destination at slightly different times
Transmission over a wireless link therefore suffers loss and errors more often

Wireless network characteristics
Hidden terminal problem (figure: nodes A, B and C in a line):
– B and A hear each other
– B and C hear each other
– A and C cannot hear each other, which means A and C are unaware of their interference at B
Signal fading (figure: A's and C's signal strength plotted against space):
– B and A hear each other
– B and C hear each other
– A and C cannot hear each other, yet they interfere at B

Unlicensed Spectrum
– ISM stands for Industrial, Scientific and Medical
– Implementation of the ISM bands differs between countries (FCC frequencies in the US, ETSI frequencies in Europe)
– Band / main use:
  – ISM (MHz band): food processing
  – ISM (GHz band): microwave ovens
  – ISM (GHz band): medical scanners

ISM Band
– Only the ISM 2.4 GHz band is available in every country; it is used by
  – Microwave ovens
  – Medical equipment
  – Communication, e.g. wireless LAN and Bluetooth
– But it is too crowded
  – Communication systems use spread spectrum to avoid interference

IEEE 802.11 Wireless LAN: 802.11b
– 2.4 GHz unlicensed radio spectrum
– Uses CCK (Complementary Code Keying) to improve the data rate
– Backward compatible with DSSS systems
– Not compatible with FHSS systems
– Max. 11 Mbps: theoretical maximum capacity (raw data rate)
– Real maximum data rate is only 6 Mbps (and only at short range with no interference)

IEEE 802.11 Wireless LAN: 802.11a and 802.11g
– 802.11a
  – 5 GHz range, OFDM
  – Up to 54 Mbps (31 Mbps real throughput)
– 802.11g
  – 2.4 GHz range, CCK-OFDM, backward compatible with IEEE 802.11b
  – Up to 54 Mbps (31 Mbps real throughput)
– All use CSMA/CA for multiple access

Wireless LAN standards

802.11 LAN architecture
– A wireless host communicates with a base station
  – base station = access point (AP)
– A Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  – wireless hosts
  – an access point (AP): the base station
– Ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with its AP, connected through a hub, switch or router to the Internet)

IEEE 802.11: multiple access
– Avoid collisions: 2+ nodes transmitting at the same time
– 802.11: CSMA, sense before transmitting
  – don't collide with an ongoing transmission by another node
– 802.11: no collision detection!
  – difficult to receive (sense collisions) while transmitting, because the received signal is weak (fading)
  – can't sense all collisions in any case: hidden terminal, fading
  – goal: avoid collisions: CSMA/CA (Collision Avoidance)

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. If the channel is sensed idle for DIFS, transmit the entire frame (no CD)
2. If the channel is sensed busy, start a random backoff timer
   – the timer counts down while the channel is idle
   – transmit when the timer expires
   – if no ACK arrives, increase the random backoff interval and repeat
802.11 receiver
– If the frame is received OK, return an ACK after SIFS
(Figure: the sender transmits data after DIFS; the receiver returns the ACK after SIFS)

Avoiding collisions (more)
Idea: allow the sender to "reserve" the channel rather than using random access for data frames, avoiding collisions of long data frames
– The sender first transmits a small request-to-send (RTS) packet to the BS using CSMA
  – RTSs may still collide with each other (but they're short)
– The BS broadcasts a clear-to-send (CTS) in response to the RTS
– The CTS is heard by all nodes
  – the sender transmits the data frame
  – other stations defer their transmissions
Data frame collisions are avoided completely using small reservation packets!

Collision Avoidance: RTS-CTS exchange
(Figure: timeline with AP, A and B. RTS(A) and RTS(B) collide; A retransmits RTS(A); the AP answers CTS(A), which reserves the channel; A sends DATA(A) and receives ACK(A) while B defers)
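The three CSMA/CA slides above describe the sender's rules in words: wait DIFS, count a random backoff down only while the medium is idle, and widen the backoff window when no ACK comes back because collisions cannot be detected directly. The following slot-level model is an added example, not code from the slides or any 802.11 implementation; the DIFS/SIFS/slot values and the 31..1023 contention window are the 802.11b DCF parameters, and the backoff draw is injectable so that a collision scenario can be replayed deterministically (the real protocol draws uniformly from [0, CW]).

```python
import random
from dataclasses import dataclass

# 802.11b DCF timing, used here as assumed constants (the slides give no numbers)
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us: DIFS = SIFS + two slot times
CW_MIN, CW_MAX = 31, 1023            # contention window bounds, in slots


def next_cw(cw: int) -> int:
    """Binary exponential backoff: the window roughly doubles after every
    transmission that gets no ACK, capped at CW_MAX."""
    return min(2 * cw + 1, CW_MAX)


@dataclass
class Station:
    name: str
    pending: int = 1          # frames still to send
    cw: int = CW_MIN
    backoff: int = 0          # remaining backoff slots
    retries: int = 0
    delivered: int = 0


def contend(stations, draw, max_rounds=10_000):
    """Slot-level model of DCF contention.

    Each round the medium has been idle for DIFS and every station with a
    pending frame counts its backoff down; the station(s) reaching zero first
    transmit.  Exactly one transmitter means the frame gets through, the
    receiver ACKs after SIFS and the sender resets its window to CW_MIN.
    Several simultaneous transmitters collide; there is no collision
    detection, the senders only notice the missing ACK, so each one doubles
    its window and draws a new backoff.  Stations that did not transmit keep
    their residual backoff (the counter is frozen while the medium is busy).
    `draw(station)` returns a backoff in slots for that station.
    Returns the list of ("success", name) / ("collision", names) events.
    """
    events = []
    for st in stations:
        st.backoff = draw(st)
    for _ in range(max_rounds):
        active = [st for st in stations if st.pending > 0]
        if not active:
            break
        step = min(st.backoff for st in active)
        for st in active:
            st.backoff -= step
        winners = [st for st in active if st.backoff == 0]
        if len(winners) == 1:
            w = winners[0]
            w.pending -= 1
            w.delivered += 1
            w.cw = CW_MIN                       # ACK received: window back to minimum
            events.append(("success", w.name))
            if w.pending:
                w.backoff = draw(w)
        else:
            for w in winners:                   # no ACK for anyone: back off harder
                w.retries += 1
                w.cw = next_cw(w.cw)
                w.backoff = draw(w)
            events.append(("collision", tuple(sorted(w.name for w in winners))))
    return events


def uniform_draw(rng: random.Random):
    """The standard's rule: pick a slot count uniformly from [0, cw]."""
    return lambda st: rng.randint(0, st.cw)


if __name__ == "__main__":
    rng = random.Random(1)
    nodes = [Station("A", pending=3), Station("B", pending=3), Station("C", pending=3)]
    for ev in contend(nodes, uniform_draw(rng)):
        print(ev)
    print({n.name: (n.delivered, n.retries) for n in nodes})
```

Replaying a scripted draw (both stations picking the same slot, then different ones) shows the mechanism the slides rely on: the first attempt collides, both windows double, and the residual backoff of the loser is carried over rather than redrawn, so the second round resolves cleanly.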

Channel partitioning in wireless LAN
– With the DSSS modulation technique, the bandwidth used by one channel is 22 MHz
– In the 2.4 GHz band only 83 MHz of bandwidth is available
– So a spacing of 5 channels is needed between non-overlapping channels
  – avoids interference between them
– Take this into account for frequency reuse and capacity increments

Channel Allocation

Relationship between Data rate and signal strength

802.11: Channels, association
– 802.11b: the 2.4 GHz-2.485 GHz spectrum is divided into 11 channels at different frequencies
  – the AP admin chooses the frequency for the AP
  – interference is possible: the channel can be the same as that chosen by a neighboring AP!
– Host: must associate with an AP
  – scans channels, listening for beacon frames containing the AP's name (SSID) and MAC address
  – selects an AP to associate with
  – may perform authentication

Interference in wireless LAN
– Microwave oven: 2450 MHz (1000 watts)
  – around channels 7-10
– Bluetooth devices (0.01 W)
– Cordless phones
– Toys, etc.
– Use NetStumbler to show the signal-to-noise ratio on the wireless LAN channels

NetStumbler

Wireless Solutions
– Ad hoc
– Infrastructure
– Load balancing
– Connecting a wireless LAN without an access point
– Extended Service Set
– Extending range with a wireless repeater
– Wireless bridge

Ad hoc
– Configuration: set as Ad hoc / peer-to-peer
– Set the BSSID and the channel to use

Infrastructure

Load balancing
– 5-channel spacing
– A maximum of 3 access points can be assigned in an overlapping area
– Channels 1 / 6 / 11
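The channel-partitioning slide and the load-balancing slide both rest on one arithmetic fact: 2.4 GHz channels sit 5 MHz apart, a DSSS channel is 22 MHz wide, so centres must be at least 5 channel numbers (25 MHz) apart to avoid overlap, which leaves 1/6/11 in the 11-channel plan. The script below is an added example (not from the slides) that derives the plan from those numbers rather than stating it, and checks a set of co-located APs for interfering pairs. It generalizes slightly beyond the slide by handling channels 12-14, where a fourth non-overlapping channel appears; the AP names are constructed.

```python
from itertools import combinations

DSSS_CHANNEL_WIDTH_MHZ = 22   # width of one 802.11b DSSS channel (from the slide)


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of 2.4 GHz channel n: 2412 MHz plus 5 MHz per channel.
    Channel 14 is the exception at 2484 MHz (Japan only)."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"no such 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap when their centres are closer than one channel width.
    The same channel twice counts as (total) overlap."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < DSSS_CHANNEL_WIDTH_MHZ


def non_overlapping_plan(available=range(1, 12)) -> list:
    """Greedy left-to-right choice of channels whose 22 MHz lobes do not touch.
    For channels 1..11 this reproduces the 1/6/11 plan from the slide."""
    chosen = []
    for ch in available:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicting_aps(assignments: dict) -> list:
    """Given {ap_name: channel} for access points whose coverage areas overlap,
    return the (name, name) pairs that will interfere with each other."""
    return [
        (x, y)
        for (x, cx), (y, cy) in combinations(sorted(assignments.items()), 2)
        if overlaps(cx, cy)
    ]


if __name__ == "__main__":
    print("11-channel plan:", non_overlapping_plan())              # [1, 6, 11]
    print("14-channel plan:", non_overlapping_plan(range(1, 15)))  # [1, 6, 11, 14]
    # Constructed floor: three APs whose cells overlap, one of them mis-set to channel 3
    floor = {"ap-east": 1, "ap-center": 3, "ap-west": 11}
    print("interfering pairs:", conflicting_aps(floor))
```

Running `conflicting_aps` over the channel assignments pulled from AP configuration is a cheap sanity check before blaming interference on microwave ovens or neighbours: a single AP left on its default channel is enough to undo the 1/6/11 plan for the whole overlapped area.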

Connecting a wireless LAN without an access point
– Use a host acting as the gateway

Extended Service Set
– Supports mobility

Extend range with Wireless repeater

Wireless bridge (Point to point link)

Wireless LAN Management
WLAN management involves three primary functions:
– Discovering the WLAN devices
– Monitoring the WLAN devices
– Configuring the WLAN devices

Discovering the WLAN devices
– ICMP, SNMP, Telnet, CLI, AP scan, RF scan, CDP, etc. are used to discover the devices in your WLAN.
– The dedicated RF sensors that come as additional hardware components with WiFi Manager perform the RF scan, discover every element that is transmitting on the air and ensure a 100% complete discovery of WLAN devices.

Monitoring the WLAN devices (1/2)
– Threshold monitoring: set threshold values for key parameters; alerts you when the actual values exceed the set threshold levels.
– Service monitoring: monitors the services running in the access points, such as the web service.
– Performance monitoring: monitors the WLAN devices for various parameters such as Tx/Rx traffic and utilization, data rate, channel usage, errors, etc.

Monitoring the WLAN devices (2/2)
– Trap reception: receives traps and alerts the operator
– Alarms: assigns a severity to every network failure and generates alarms
– Email-based notification: notifies operators through email when a fault occurs
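The two monitoring slides list threshold checks, trap reception and severity-ranked alarms as separate features; in practice they feed one alarm pipeline. The following is an added example of that pipeline, not code from the slides or from WiFi Manager: the threshold table, the trap-to-severity mapping and the poll samples are constructed, and the monitor deliberately requires two consecutive breaches before raising an alarm so that one noisy SNMP sample does not page anyone (a design choice of this example, not something the slides prescribe).

```python
from dataclasses import dataclass

# Threshold table: metric -> (limit, severity when exceeded). Constructed values;
# a real deployment tunes these per site.
THRESHOLDS = {
    "utilization_pct": (80, "major"),
    "rx_errors_per_min": (50, "minor"),
    "associated_clients": (40, "warning"),
}

# Generic SNMP trap names mapped to a constructed severity policy.
TRAP_SEVERITY = {
    "linkDown": "critical",
    "authenticationFailure": "warning",
    "coldStart": "minor",
}

SEVERITY_ORDER = ["info", "warning", "minor", "major", "critical"]


@dataclass(frozen=True)
class Alarm:
    device: str
    severity: str
    message: str


class ThresholdMonitor:
    """Raises an alarm only once a metric has been over its limit for
    `consecutive` polls in a row, and only once per excursion: the alarm fires
    when the streak reaches the required length and is re-armed when the
    metric drops back under the limit."""

    def __init__(self, thresholds=THRESHOLDS, consecutive=2):
        self.thresholds = thresholds
        self.consecutive = consecutive
        self.streak = {}          # (device, metric) -> consecutive breaches

    def poll(self, device: str, sample: dict) -> list:
        """`sample` is one poll result, {metric: value}. Returns new alarms."""
        alarms = []
        for metric, (limit, severity) in self.thresholds.items():
            if metric not in sample:
                continue
            key = (device, metric)
            if sample[metric] > limit:
                self.streak[key] = self.streak.get(key, 0) + 1
                if self.streak[key] == self.consecutive:
                    alarms.append(Alarm(device, severity,
                                        f"{metric}={sample[metric]} exceeds {limit}"))
            else:
                self.streak[key] = 0
        return alarms


def handle_trap(device: str, trap_name: str) -> Alarm:
    """Map an incoming trap to an alarm; unknown traps are recorded as 'info'."""
    return Alarm(device, TRAP_SEVERITY.get(trap_name, "info"), f"trap {trap_name}")


def worst(alarms):
    """The alarm an operator should look at first, or None if the list is empty."""
    if not alarms:
        return None
    return max(alarms, key=lambda a: SEVERITY_ORDER.index(a.severity))


if __name__ == "__main__":
    mon = ThresholdMonitor()
    # Constructed polls: ap1 stays over the utilization limit, ap2 spikes once
    polls = [
        ("ap1", {"utilization_pct": 85, "rx_errors_per_min": 3}),
        ("ap2", {"utilization_pct": 95, "rx_errors_per_min": 1}),
        ("ap1", {"utilization_pct": 91, "rx_errors_per_min": 4}),
        ("ap2", {"utilization_pct": 40, "rx_errors_per_min": 2}),
    ]
    raised = [a for dev, s in polls for a in mon.poll(dev, s)]
    raised.append(handle_trap("ap3", "linkDown"))
    for a in raised:
        print(a)
    print("look first at:", worst(raised))
```

With this arrangement a trap (something the device pushes) and a threshold breach (something the poller notices) end up as the same `Alarm` type, which is what lets the notification stage on the next slide pick the worst event rather than the most recent one.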

Configuring the WLAN devices
– It consists of
  – AP configuration
  – Firmware upgrade
– From a management perspective, it can be done as
  – Group management
  – Individual management

Access Point Configuration
– AP basic configuration
– AP ACL configuration
– AP security configuration
– AP services configuration

AP basic configuration (1/2)
– SSID: service set identifier for the access point
– Allow broadcast SSID: enable/disable the AP broadcasting its SSID
– Allow auto channel select: enable/disable the AP selecting its channel automatically
– Channel: specify the channel on which the AP operates (applicable only if allow auto channel select is NO)
– Name: name of the access point

AP basic configuration (2/2)
– System Location: sysLocation value of the access point
– System Contact: sysContact value of the access point
– Use DHCP: enable/disable DHCP mode in the AP
– LAN IP: IP address of the AP (applicable only if Use DHCP is NO)
– Subnet Mask: mask value
– Gateway IP: IP address of the gateway
– DNS server IP: IP address of the DNS server

AP ACL configuration
– WLAN administrators can deny or allow network access to wireless clients by configuring the ACL settings in the access points.
– Block: prevents access from the specified MAC addresses and allows all others
– Pass through: allows only the specified MAC addresses and blocks all others
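The two ACL modes on this slide are easy to confuse when writing them down, and MAC lists collected from different tools arrive in different spellings. The class below is an added example (not the slides' or any vendor's code) of how an AP evaluates both modes, with the address normalization that a real list needs so that `AA-BB-CC-DD-EE-01`, `aabb.ccdd.ee01` and `aa:bb:cc:dd:ee:01` are treated as the same card; all addresses are constructed.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form of a MAC address.
    Accepts dash, colon and Cisco dotted notations; rejects anything else."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAcl:
    """The two AP ACL modes from the slide.

    mode="block":        listed MACs are denied, everything else is allowed
    mode="pass-through": only listed MACs are allowed, everything else is denied
    """

    def __init__(self, mode: str, macs):
        if mode not in ("block", "pass-through"):
            raise ValueError("mode must be 'block' or 'pass-through'")
        self.mode = mode
        self.macs = {normalize_mac(m) for m in macs}

    def allows(self, client_mac: str) -> bool:
        listed = normalize_mac(client_mac) in self.macs
        return (not listed) if self.mode == "block" else listed

    def decisions(self, attempts):
        """Evaluate a batch of association attempts; returns (mac, 'allow'|'deny')
        pairs, e.g. for an audit log of who was turned away."""
        return [(normalize_mac(m), "allow" if self.allows(m) else "deny") for m in attempts]


if __name__ == "__main__":
    # Constructed: two issued cards, then a batch of association attempts
    issued = ["AA-BB-CC-DD-EE-01", "aabb.ccdd.ee02"]
    attempts = ["aa:bb:cc:dd:ee:01", "AA:BB:CC:DD:EE:02", "aa:bb:cc:dd:ee:03"]
    print("pass-through:", MacAcl("pass-through", issued).decisions(attempts))
    print("block:       ", MacAcl("block", ["aa:bb:cc:dd:ee:03"]).decisions(attempts))
```

Pass-through is the mode the later "Filtering MAC" slide argues for on small networks; the normalization step matters because a list typed with dashes on one AP and colons on another silently fails open in block mode and fails closed in pass-through mode.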

AP Security Configuration
– WEP: encrypts data; provide the WEP keys
– 802.1x: enables user authentication
  – at least one RADIUS server is provided
– WPA: 802.1x + TKIP + dynamic key distribution
– WPA PSK: uses a pre-shared key instead of RADIUS
– Mixed mode: allows both WPA and non-WPA clients

AP Service Configuration
– Management services such as SNMP, HTTP, Telnet and NTP running in the access points can be configured.
– SNMP: Enable/Disable, Read/Read-Write Community, Trap Destination/Community, Enable Trap Notifications
– HTTP: Enable/Disable, HTTP Port
– Telnet: Enable/Disable, Telnet Port
– NTP: Enable/Disable, NTP Server Address
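The basic, security and service configuration slides together define the knobs an AP exposes, and the policy slides later in the deck say which settings are unacceptable (default names and passwords, SSID broadcast, WEP alone, unauthenticated management). The audit below is an added example, not code from the slides or from any management product: it takes an AP configuration as a dict whose keys mirror the parameter names on these slides and returns ranked findings. The default-secret list reuses the 3Com default quoted on a later slide; the other defaults, the SSID list, the 8-character PSK floor and the severity labels are constructed for the example.

```python
# "comcomcom" is the 3Com default from the slides; the rest are constructed.
KNOWN_DEFAULT_SECRETS = {"comcomcom", "admin", "password", ""}
KNOWN_DEFAULT_SSIDS = {"default", "wireless", "linksys"}      # constructed list
WEAK_COMMUNITIES = {"public", "private"}
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit_ap(cfg: dict) -> list:
    """Check one AP configuration and return (severity, message) findings,
    worst first. Missing keys are treated as the weakest setting (off / none)."""
    findings = []

    def add(sev, msg):
        findings.append((sev, msg))

    sec = cfg.get("security", "none")
    if sec == "none":
        add("critical", "no link encryption: any listener in range can read the traffic")
    elif sec == "wep":
        add("high", "WEP enabled: RC4-based WEP can be broken; move to WPA2 (802.11i)")
    elif sec == "mixed":
        add("medium", "mixed mode accepts non-WPA clients, so the weakest client sets the bar")
    if sec in ("802.1x", "wpa") and not cfg.get("radius_servers"):
        add("high", f"{sec} selected but no RADIUS server configured")
    if sec == "wpa-psk" and len(cfg.get("psk", "")) < 8:
        add("high", "WPA pre-shared key shorter than 8 characters")

    if cfg.get("ssid", "").lower() in KNOWN_DEFAULT_SSIDS:
        add("low", "default SSID still in use")
    if cfg.get("broadcast_ssid", True):
        add("low", "SSID broadcast is on; policy calls for a closed system")
    if cfg.get("admin_password", "") in KNOWN_DEFAULT_SECRETS:
        add("critical", "management password is a known default")

    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        for role in ("read_community", "write_community"):
            if snmp.get(role, "") in WEAK_COMMUNITIES:
                add("high", f"SNMP {role} is a well-known default")
        if snmp.get("write_community") and snmp.get("write_community") == snmp.get("read_community"):
            add("medium", "SNMP read and write communities are identical")
    if cfg.get("telnet", {}).get("enabled"):
        add("medium", "Telnet management enabled: a clear-text management protocol")
    if cfg.get("http", {}).get("enabled"):
        add("medium", "HTTP management enabled: a clear-text management protocol")
    if not cfg.get("ntp", {}).get("enabled"):
        add("low", "NTP disabled: trap and log timestamps cannot be correlated")

    findings.sort(key=lambda f: SEVERITY[f[0]])
    return findings


def grade(cfg: dict) -> str:
    """Single-word summary: the worst finding's severity, or 'clean'."""
    found = audit_ap(cfg)
    return found[0][0] if found else "clean"


# Constructed configurations: an AP straight out of the box, and a hardened one.
FACTORY_DEFAULT_AP = {
    "ssid": "default", "broadcast_ssid": True, "security": "wep",
    "admin_password": "comcomcom",
    "snmp": {"enabled": True, "read_community": "public", "write_community": "private"},
    "telnet": {"enabled": True}, "http": {"enabled": True}, "ntp": {"enabled": False},
}
HARDENED_AP = {
    "ssid": "corp-wlan", "broadcast_ssid": False, "security": "wpa2",
    "admin_password": "<long-unique-secret-placeholder>",
    "snmp": {"enabled": True, "read_community": "ro-constructed-secret",
             "write_community": "rw-constructed-secret"},
    "telnet": {"enabled": False}, "http": {"enabled": False}, "ntp": {"enabled": True},
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_DEFAULT_AP), ("hardened", HARDENED_AP)):
        print(name, grade(cfg))
        for sev, msg in audit_ap(cfg):
            print("  ", sev, msg)
```

Run over configurations pulled from every AP in the group, this is the "do not use the default name or password" policy item turned into something that can be checked on each firmware upgrade rather than remembered.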

Wireless LAN security management (1/2)
Common attacks and vulnerabilities
– The weaknesses in WEP, key management and user behavior
– Sniffing, interception and eavesdropping
– Spoofing and unauthorized access
– Network hijacking and modification
– Denial of Service and flooding attacks

Wireless LAN security management (2/2)
Security countermeasures
– Revisiting policy
– Analyzing the threat
– Implementing WEP
– Filtering MAC addresses
– Using closed systems and networks
– Securing users

The weaknesses in WEP, key management and user behavior
– Several papers were published showing vulnerabilities in WEP, and tools exist that recover the encryption key
  – AirSnort
  – WEPCrack
– IEEE 802.11 outlines that the secret key used by WEP needs to be controlled by external key management
  – Normally, key management is done by the user (defining 4 different secret keys)
  – RADIUS (Remote Authentication Dial-In User Service) is not used by small businesses or home users

The weaknesses in WEP, key management and user behavior
– Users often operate the devices in the default configuration
  – SSID broadcast: turned on
  – Default password used as the secret key
    – 3Com products: comcomcom
    – Lucent products: the last five digits of the network ID

Sniffing, interception and eavesdropping
– Sniffing is the electronic form of eavesdropping on the communications that computers have across a network
– A wireless network is a broadcast (shared) link
– Every communication across the wireless network is viewable by anyone who is listening to the network
– The listener does not even need to be associated with the network

Sniffing tools
– All of these software packages put the network card in promiscuous mode; every packet that passes its interface is captured and displayed
  – Ethereal
  – OmniPeek
  – Tcpdump
  – Ngrep

Spoofing and unauthorized access
– Spoofing: an attacker is able to trick your network equipment into thinking that the connection is from one of the allowed machines
– Several ways to accomplish this
  – Redefine the MAC address to a valid MAC address
  – A simple Registry edit on Windows
  – On Unix, with a simple command from a root shell
  – SMAC (a software package on Windows)

Network hijacking and modification
– A malicious user is able to send messages to routing devices and APs stating that their MAC address is associated with a known IP address
– From then on, all traffic that goes through that router (switch) destined for the hijacked IP address is handed off to the hijacker's machine
– This is ARP spoofing or ARP poisoning

Network hijacking and modification
– If the attacker spoofs the default gateway
  – All machines trying to reach the network will connect to the attacker
  – The aim is to collect passwords and other needed information
– Use of a rogue AP
  – To receive authentication requests and information
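The hijacking slides describe the attack from the attacker's side: a forged ARP reply rebinds the gateway's IP address to the attacker's MAC. From the defender's side the same event is visible as a binding that changes, and the gateway binding in particular should never change. The watcher below is an added example (not from the slides) that reads sniffer-style ARP summary lines, pins the gateway to the MAC recorded in inventory, learns other hosts from their first reply, and raises one alert per conflicting claim. The log format, addresses and gateway are constructed; "critical" for the gateway and "warning" for other hosts is a choice of this example.

```python
import re

# Constructed log lines in the style of a sniffer's ARP summary; every address
# here is made up. Line 3 is the gateway being claimed by a second MAC, line 6
# is an ordinary host changing (could be a reimaged PC, could be spoofing).
SAMPLE_ARP_LOG = """\
10:00:01 ARP reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 ARP reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:05 ARP reply 192.168.1.1 is-at 00:11:22:33:44:99
10:00:06 ARP reply 192.168.1.1 is-at 00:11:22:33:44:99
10:00:09 ARP reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:10 ARP reply 192.168.1.20 is-at 00:11:22:33:44:21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ARP reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


class ArpWatcher:
    """Flags IP-to-MAC bindings that change, which is what ARP poisoning looks
    like on the wire. Bindings passed in `trusted` (the gateway's real MAC from
    inventory) are never overwritten by observations; other hosts are learned
    from the first reply seen, so a watcher started after an attack began would
    learn the attacker's binding as the truth."""

    def __init__(self, gateway_ip: str, trusted=None):
        self.gateway_ip = gateway_ip
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.learned = {}
        self.reported = set()           # (ip, mac) pairs already alerted on
        self.alerts = []

    def observe(self, ts: str, ip: str, mac: str):
        mac = mac.lower()
        expected = self.trusted.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac
            return None
        if expected == mac or (ip, mac) in self.reported:
            return None
        self.reported.add((ip, mac))
        severity = "critical" if ip == self.gateway_ip else "warning"
        alert = (ts, severity, f"{ip} claimed by {mac}, expected {expected}")
        self.alerts.append(alert)
        return alert

    def feed(self, log_text: str) -> list:
        """Parse every matching line; lines that do not match are ignored."""
        for line in log_text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                self.observe(m["ts"], m["ip"], m["mac"])
        return self.alerts


if __name__ == "__main__":
    watcher = ArpWatcher("192.168.1.1", trusted={"192.168.1.1": "00:11:22:33:44:01"})
    for alert in watcher.feed(SAMPLE_ARP_LOG):
        print(alert)
```

The `trusted` table is the important part: seeding the gateway (and any other fixed infrastructure) from inventory turns "a binding changed" into "someone other than the router is answering for the router", which is the case the slide describes, while a host that legitimately gets a new card only produces a warning for someone to reconcile against the wireless-card inventory.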

Denial of Service and flooding attacks
– One of the original DoS attacks is known as a ping flood
  – A large number of hosts or devices send an ICMP echo to a specified target
– One possible attack would be a massive amount of invalid or valid authentication requests
  – Users attempting to authenticate themselves would have difficulty acquiring a valid session
– If a hacker can spoof the default gateway, it can prevent any machine on the wireless network from accessing the wired network

WLAN Security countermeasures
– Revisiting policy
– Analyzing the threat
– Implementing WEP
– Filtering MAC addresses
– Using closed systems and networks
– Securing users

Revisiting policy
– Adjust the corporate security policy to accommodate wireless networks and the users who depend on them
– Because of the wireless environment:
  – no visible connection: good authentication is required
  – ease of capturing RF traffic: a good policy should not broadcast the SSID and should implement WEP
  – do not use the default name or password when operating AP devices

Analyzing the threat (1/2)
– Identify assets and the method of accessing them from an authorized perspective
– Identify the likelihood that someone other than an authorized user can access the assets
– Identify potential damages
  – Defacement
  – Modification
  – Theft
  – Destruction of data

Analyzing the threat (2/2)
– Identify the cost to replace, fix, or track the loss
– Identify security countermeasures
– Identify the cost of implementing the countermeasures
  – Hardware / software / personnel
  – Procedures / limitations on access across the corporate structure
– Compare the cost of securing the resources with the cost of the damage

Implementing WEP
– To protect against data sniffing during a session
– 128-bit encryption should be considered the minimum
  – Most APs support both 40-bit and 128-bit encryption
– WEP advantages
  – All messages are encrypted, so privacy is maintained
  – Easy to implement
  – WEP keys are user definable and unlimited

Implementing WEP
– WEP disadvantages
  – The RC4 encryption algorithm is a known stream cipher and can be broken
  – Once the key is changed, everyone needs to be informed
  – WEP does not provide adequate WLAN security
    – It only eliminates the curious hacker who lacks the means or desire to really hack your network
  – WEP has to be implemented on every client as well as every AP to be effective

Filtering MAC addresses
– To minimize the number of attacks
  – More practical on small networks
– It can be performed at the switch attached to the AP or on the AP itself
– MAC filtering advantages
  – Predefined users are accepted; filtered MACs do not get access
– MAC filtering disadvantages
  – Administrative overhead with a large number of users
  – MAC addresses can be reprogrammed

Using closed systems and networks
– Turn off SSID broadcasting and use a proper password (WEP)
– Select "closed wireless system"
– Advantages
  – The AP does not accept unrecognized network requests
  – Prevents NetStumbler snooping software
  – Easy to implement
– Disadvantages
  – Administration required for new users and changes

Securing users
– Educate the users about the threats and where they are at risk
  – How is a proper password set?
– Provide policies that enable them to successfully secure themselves
  – Change the password at regular intervals
  – Minimum password length
– Create policies that secure users behind the scenes
  – Filtering traffic

Securing users
– Some of the rule sets that should be in place with respect to wireless:
  – No rogue access points
  – Inventory all wireless cards and their corresponding MAC addresses
  – No antennas without administrative consent
  – Strong passwords on wireless network devices
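"No rogue access points" and "inventory all wireless cards" are only enforceable together: a rogue AP is an AP that is not in the inventory, and the inventory is what lets a site survey (the kind of scan NetStumbler produces) be turned into a verdict. The classifier below is an added example, not code from the slides or from any survey tool: it takes beacons as the scan reports them, compares BSSIDs against an authorized-AP inventory, and also reports associated client MACs missing from the card inventory. All inventories, BSSIDs and the scan itself are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str        # the AP's MAC address as carried in the beacon frame
    ssid: str
    channel: int
    signal_dbm: int


def _mac(m: str) -> str:
    return m.strip().lower()


# Constructed inventory: BSSIDs of the APs we installed, with the SSID and
# channel each one is supposed to advertise.
AUTHORIZED_APS = {
    "00:aa:bb:00:00:01": ("corp-wlan", 1),
    "00:aa:bb:00:00:02": ("corp-wlan", 6),
    "00:aa:bb:00:00:03": ("corp-wlan", 11),
}
CORPORATE_SSIDS = {"corp-wlan"}

# Constructed inventory of the wireless cards issued to staff.
AUTHORIZED_CLIENTS = {"00:cc:dd:00:00:10", "00:cc:dd:00:00:11"}

# Constructed scan result, one entry per beacon a site survey tool saw.
SAMPLE_SCAN = [
    Beacon("00:AA:BB:00:00:01", "corp-wlan", 1, -45),
    Beacon("00:aa:bb:00:00:02", "corp-wlan", 3, -50),    # our box, wrong channel
    Beacon("02:de:ad:be:ef:01", "corp-wlan", 6, -38),    # our SSID, unknown hardware
    Beacon("00:11:22:33:44:55", "cafe-guest", 11, -80),  # somebody else's network
]


def classify_beacons(beacons, authorized=AUTHORIZED_APS, our_ssids=CORPORATE_SSIDS):
    """Sort scanned beacons into four buckets:
    authorized    - known BSSID advertising what inventory says it should
    misconfigured - known BSSID, but SSID or channel differs from inventory
    rogue         - unknown BSSID advertising one of our SSIDs
    neighbor      - unknown BSSID with a foreign SSID (investigate only if strong)
    """
    result = {"authorized": [], "misconfigured": [], "rogue": [], "neighbor": []}
    for b in beacons:
        bssid = _mac(b.bssid)
        if bssid in authorized:
            ssid, channel = authorized[bssid]
            bucket = "authorized" if (b.ssid, b.channel) == (ssid, channel) else "misconfigured"
        elif b.ssid in our_ssids:
            bucket = "rogue"
        else:
            bucket = "neighbor"
        result[bucket].append(b)
    return result


def unknown_clients(associated_macs, inventory=AUTHORIZED_CLIENTS) -> list:
    """MACs currently associated with our APs that are not in the card inventory."""
    return sorted({_mac(m) for m in associated_macs} - {_mac(m) for m in inventory})


if __name__ == "__main__":
    verdict = classify_beacons(SAMPLE_SCAN)
    for bucket, beacons in verdict.items():
        for b in beacons:
            print(f"{bucket:13} {b.bssid} {b.ssid!r} ch{b.channel} {b.signal_dbm} dBm")
    # Constructed association table pulled from the APs
    print("unknown clients:", unknown_clients(["00:CC:DD:00:00:10", "00:cc:dd:00:00:99"]))
```

One caveat a practitioner will want stated: an AP someone plugs into the wired LAN under a different SSID lands in the "neighbor" bucket here, so an RF scan alone does not satisfy the "no rogue access points" rule; correlating the scan with the switch's MAC table (or a wired-side discovery from the management slides) is what separates a cafe next door from a box on your own cabling.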

Other methods
– VPN
– WEP + RADIUS
– WPA2 (Wi-Fi Protected Access)
– WPA + RADIUS
– 802.1x
  – EAP-MD5, LEAP (Cisco), EAP-TLS, EAP-TTLS
– MAC + WPA + RADIUS
  – Mahanakorn solution
– Web recommendation

802.11i
– Known as WPA2 and also called RSN (Robust Security Network)
– 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher
– The 802.11i architecture contains the following components:
  – 802.1X for authentication
  – RSN for keeping track of associations
  – AES-based CCMP to provide confidentiality, integrity and origin authentication

802.1x (1/2)
– It provides an authentication mechanism for devices wishing to attach to a LAN port, either establishing a point-to-point connection or preventing access from that port if authentication fails.
– It is used by most wireless access points and is based on the Extensible Authentication Protocol (EAP).

802.1x (2/2)

802.11n (new WLAN standard)
– To improve performance and security for WLANs
  – Net bandwidth 248 Mbps
  – Operates in both the 5 GHz and 2.4 GHz bands
– Technology changes:
  – MIMO (Multiple Input Multiple Output)
  – Channel bonding: can simultaneously use two separate non-overlapping channels to transmit data
  – Frame aggregation
  – Backward compatibility